Managing Permissions on SAP Users or Groups
Use the post /v1/cckm/sap/groups/{id}/update-acls
API to grant permissions to users or groups to perform specific actions on the SAP groups. User ID and group are mutually exclusive – specify either.
For the first time users or groups, actions are permitted as configured by the CCKM administrator. However, if the permissions of a user or group need to be modified later, for example, a new action is to be permitted or an existing action is to be revoked, the CCKM administrator needs to set that particular action to true
or false
.
For example, a user or group is permitted actions, keycreate
, keyupload
, and keydelete
. Now, to permit one more action keyrestore
to the user or group, set "permit":true
and "actions": "keyrestore"
and run the API. Similarly, now to deny permission to the action "keycreate"
, set "permit":false
, "actions": "keycreate"
, and run the API.
Syntax
curl -k '<IP>/api/v1/cckm/sap/groups/{id}/update-acls' -X POST -H 'Authorization: AUTHTOKEN --compressed
Here, {id}
is the resource ID of the SAP group.
Request Parameters
Parameter | Type | Description |
---|---|---|
AUTHTOKEN | string | Authentication token. |
actions | array of strings | List of actions. The actions can be: • keycreate • keyupload • keyrotate • keyupdate • view • deletebackup • keydelete • keypurge • keyrestore • keysynchronize • keyrotatetonative • keyrotatetobyok • keyremove Refer to Actions for details. |
group | string | Name of the user group to be granted permissions. User ID and group are mutually exclusive - specify either. |
permit | boolean | Whether to permit users to perform specific operations. Set true to permit, false to deny. |
user_id | string | ID of the user to be granted permissions. User ID and group are mutually exclusive – specify either. |
Actions
The following table lists the accepted values:
APIs | Actions | Description |
---|---|---|
List | view | Permission to view groups and their keys. |
Create | keycreate | Permission to create SAP native keys. |
Upload | keyupload | Permission to upload the CipherTrust Manager keys to SAP. |
Delete | keydelete | Permission to delete SAP keys. |
Restore | keyrestore | Permission to restore backed up keys to groups. |
Update(Edit key) | keyupdate | Permission to update keys, for example, editing properties, enabling/disabling keys, enabling/disabling key version, and editing labels. |
Delete Backup | deletebackup | Permission to delete backups of SAP keys from the CCKM. |
Rotate to Native Key | keyrotatetonative | Permission to rotate keys on SAP groups natively. |
Rotate to BYOK Key | keyrotatetobyok | Permission to rotate keys on SAP groups using BYOK. |
Synchronize | keysynchronize | Permission to synchronize SAP keys. |
Cancel | keysynchronize | Permission to cancel synchronization jobs. |
Remove | keyremove | Permission to remove SAP keys with their versions and backups from the CCKM. |
Example Request
curl -k 'https://127.0.0.1/api/v1/cckm/sap/groups/e4b2c2da-4226-4cd8-bbfa-b3ad7a7c05ea/update-acls' -X POST -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJjNTQ1ZjU0OS1iMDViLTQ2MWUtYmY4MC00NWI3ZjQxNmUwMjgiLCJzdWIiOiJsb2NhbHw3ODA0Y2QzOC01YWIyLTQ1MjktOTcwYi1hOTEyNzVmOTBkMzUiLCJpc3MiOiJreWxvIiwiYWNjIjoia3lsbyIsInByZWZlcnJlZF91c2VybmFtZSI6ImFkbWluIiwiY3VzdCI6eyJkb21haW5faWQiOiIwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDAiLCJncm91cHMiOlsiYWRtaW4iXSwic2lkIjoiZjg1MDQ5ZmUtZGM4Ni00NDVhLWEwMTUtNGUyM2NkNTc4OGM2Iiwiem9uZV9pZCI6IjAwMDAwMDAwLTAwMDAtMDAwMC0wMDAwLTAwMDAwMDAwMDAwMCJ9LCJqd3RpZCI6IjMzNWFjYjg0LTJjN2ItNGM1ZC1iMDIzLTgyOTQxNmZjYzUyZSIsImlhdCI6MTYzMzMzOTk4NywiZXhwIjoxNjMzMzQwMjg3fQ.wNxiuDp1f6ycODQUAPKtiyY-1wVzCkm6KjG5XYyUfh8' --compressed
Example Response
{
"application/json":{
"id":"ce0ffe4b-fbda-4e87-88af-4b9b4e6484f9",
"uri":"kylo:kylo:cckm:sfdc-organization:ce0ffe4b-fbda-4e87-88af-4b9b4e6484f9",
"account":"kylo:kylo:admin:accounts:kylo",
"application":"ncryptify:gemalto:admin:apps:kylo",
"devAccount":"ncryptify:gemalto:admin:accounts:gemalto",
"createdAt":"2021-08-25T04:30:47.915696Z",
"updatedAt":"2021-08-25T10:04:24.415596321Z",
"name":"orgnisation name",
"sfdc_org_id":"00DB000000012ABCDE",
"connection":"sfdc",
"cloud_name":"sfdc",
"organization_type":"Sandbox",
"refreshed_at":"2021-08-25T04:31:24.089748Z",
"acls":[
{
"user_id":"local|624b6c12-21d4-489a-ab8b-982f91f2f3aa",
"actions":[
"view",
"keydestroy"
]
},
{
"group":"CCKM Users",
"actions":[
"view"
]
}
]
}
}
Response Codes
Response Code | Description |
---|---|
2xx | Success |
4xx | Client errors |
5xx | Server errors |
Refer to HTTP status codes for details.